Red Hat Security Advisory: KDE update for Red Hat Linux 6.0

Written By
Web Webster
Jun 23, 1999

“Several security holes have been closed, and other bugs noted
in the original RPMs have been corrected.”

Problem description:

Red Hat Linux 6.0 shipped with KDE 1.1.1pre2, the latest release
available at the time we went into production. There were a number
of configuration and security bugs in the original packages.

kmail, the kde mail reader, had a bug related to decoding mime
attachments in an unsafe manner. Attachments were written using an
easily predictable filename to a temporary directory. This could
then be exploited to overwrite arbitrary files owned by
the person using kmail via a symlink attack.
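
The bug class described above, shown as an added example (this is not kmail's code or the Red Hat/KDE patch): a writer that uses a fixed temp-file name follows a symlink already planted at that name, while `mkstemp()` creates a fresh file exclusively. The scratch directory, the file names `keep` and `part1`, and the function names are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Weak pattern from the advisory: fixed name, and O_CREAT|O_TRUNC follows
 * whatever already sits at that path, including a symlink. */
static int write_predictable(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened: mkstemp() fills in the XXXXXX suffix and creates the file with
 * O_CREAT|O_EXCL (mode 0600), so an existing file or symlink is never reused. */
static int write_unique(char *tmpl, const char *data) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Constructed scenario in a private scratch directory: a symlink already
 * occupies the predictable name and points at a file that must survive.
 * Returns 1 if that file is intact afterwards, 0 if overwritten, -1 on error. */
int victim_survives(int hardened) {
    char dir[] = "/tmp/symdemoXXXXXX", keep[64], fixed[64], tmpl[64], buf[32] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(keep, sizeof keep, "%s/keep", dir);
    snprintf(fixed, sizeof fixed, "%s/part1", dir);      /* predictable name */
    snprintf(tmpl, sizeof tmpl, "%s/partXXXXXX", dir);
    if (write_predictable(keep, "original") || symlink(keep, fixed)) return -1;
    int rc = hardened ? write_unique(tmpl, "attachment")
                      : write_predictable(fixed, "attachment");
    FILE *f = fopen(keep, "r");
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = '\0'; fclose(f); }
    if (hardened) unlink(tmpl);
    unlink(fixed); unlink(keep); rmdir(dir);
    return rc ? -1 : strcmp(buf, "original") == 0;
}

int main(void) {
    printf("predictable name: intact=%d\n", victim_survives(0));
    printf("mkstemp:          intact=%d\n", victim_survives(1));
    return 0;
}
```

If a fixed name cannot be avoided, opening it with `O_CREAT | O_EXCL` makes `open()` fail with `EEXIST` when a file or symlink is already present instead of writing through it.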

Solution:

Upgrade to KDE 1.1.1 final, which fixes a number of bugs present
in the previous release and contains additional patches to correct
security holes in kmail and kvt.

-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:               KDE update for Red Hat Linux 6.0
Advisory ID:            RHSA-1999:015-01
Issue date:             1999-06-21
Keywords:               kde kdm kvt kmail 1.1.1 
- ---------------------------------------------------------------------

1. Topic:

New KDE RPMs are available for Red Hat Linux 6.0.  These RPMs upgrade
the 1.1.1pre2 release to 1.1.1 final + fixes.  Several security holes
have been closed, and other bugs noted in the original RPMs have been
corrected.

2. BugIDs fixed:

2877 3433 

3. Relevant releases/architectures:

Red Hat Linux 6.0, all architectures

4. Obsoleted by:

5. Conflicts with:

6. RPMs required:

Intel: ftp://updates.redhat.com/6.0/i386/

kdeadmin-1.1.1-1.i386.rpm
kdebase-1.1.1-1.i386.rpm
kdegames-1.1.1-1.i386.rpm
kdegraphics-1.1.1-1.i386.rpm
kdelibs-1.1.1-1.i386.rpm
kdemultimedia-1.1.1-1.i386.rpm
kdenetwork-1.1.1-1.i386.rpm
kdesupport-1.1.1-1.i386.rpm
kdetoys-1.1.1-1.i386.rpm
kdeutils-1.1.1-1.i386.rpm
korganizer-1.1.1.i386.rpm
kpilot-3.1b9-1.i386.rpm

Alpha: ftp://updates.redhat.com/6.0/alpha/

kdeadmin-1.1.1-1.alpha.rpm
kdebase-1.1.1-1.alpha.rpm
kdegames-1.1.1-1.alpha.rpm
kdegraphics-1.1.1-1.alpha.rpm
kdelibs-1.1.1-1.alpha.rpm
kdemultimedia-1.1.1-1.alpha.rpm
kdenetwork-1.1.1-1.alpha.rpm
kdesupport-1.1.1-1.alpha.rpm
kdetoys-1.1.1-1.alpha.rpm
kdeutils-1.1.1-1.alpha.rpm
korganizer-1.1.1.alpha.rpm
kpilot-3.1b9-1.alpha.rpm

Sparc: ftp://updates.redhat.com/6.0/sparc

kdeadmin-1.1.1-1.sparc.rpm
kdebase-1.1.1-1.sparc.rpm
kdegames-1.1.1-1.sparc.rpm
kdegraphics-1.1.1-1.sparc.rpm
kdelibs-1.1.1-1.sparc.rpm
kdemultimedia-1.1.1-1.sparc.rpm
kdenetwork-1.1.1-1.sparc.rpm
kdesupport-1.1.1-1.sparc.rpm
kdetoys-1.1.1-1.sparc.rpm
kdeutils-1.1.1-1.sparc.rpm
korganizer-1.1.1.sparc.rpm
kpilot-3.1b9-1.sparc.rpm

7. Problem description:

Red Hat Linux 6.0 shipped with KDE 1.1.1pre2, the latest release
available at the time we went into production.  There were a number of
configuration and security bugs in the original packages.

kmail, the kde mail reader, had a bug related to decoding mime
attachments in an unsafe manner.  Attachments were written using an
easily predictable filename to a temporary directory.  This could
then be exploited to overwrite arbitrary files owned by the
person using kmail via a symlink attack.

8. Solution:

Upgrade to KDE 1.1.1 final, which fixes a number of bugs present in
the previous release and contains additional patches to correct
security holes in kmail and kvt.

For each RPM for your particular architecture, run:

rpm -Uvh <filename>

where <filename> is the name of the RPM.

9. Verification:

These packages are PGP signed by Red Hat Inc. for security.  Our key
is available at:

http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

rpm --checksig --nopgp <filename>

10. References:

http://www.geek-girl.com/bugtraq/1999_2/0685.html

This URL describes the kmail security hole.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBN2+dVtLHqShaOYAxAQF6XAQAqNuA491aBD2rL9ubjMd1iKZCA9wSUzNm
BRZ5akb7ZZZQQStIkTAxyODnNlVlnfO0TYHJ+AwAVo76oM5Kdzq1R51BP+PTxev3
C+Unppug5NkUMB+DOt4Cr/jB+u5VvSIBK/s33/SjdUUWupHIesOf6mi7F27f/Lix
yApeMatgLcE=
=lU2O
-----END PGP SIGNATURE-----

---
  Preston Brown
  Red Hat, Inc.
  pbrown@redhat.com
  PGP public key: http://www.redhat.com/~pbrown/pbrown-pgp-pubkey.txt